Rat5ak/Rat5ak-Nadsec-2026-CVE-CERTIFIED-HOOD-CLASSICS
GitHub: Rat5ak/Rat5ak-Nadsec-2026-CVE-CERTIFIED-HOOD-CLASSICS
A public collection of 2026 CVE vulnerability research by security researcher NadSec, including writeups, PoCs and patches, covering projects such as the Linux kernel, curl, WordPress and OpenBSD.
Stars: 0 | Forks: 0
# Rat5ak / NadSec - 2026 CVE Certified Hood Classics
This is my continuously updated list of CVEs, writeups, PoCs, patches, security advisories,
and related hacker activity published in 2026.
Blog: https://www.nadsec.online/blog
GitHub: https://github.com/Rat5ak
Medium: https://medium.com/@Nadsec
## Linux
### CVE-2026-31413 - BPF verifier/runtime divergence → container escape
A Linux BPF verifier soundness bug. The verifier believes a scalar value is `0`,
while at runtime it holds a different value. This mismatch turns into out-of-bounds BPF map
access and, in my experimental chain, a container escape to host root.
Links:
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31413
- NadSec writeup/demo: https://www.nadsec.online/blog/bpf-container-escape
- GitHub repo / PoC / patches: https://github.com/Rat5ak/CVE-2026-31413-BPF-Container-Escape
- Mainline fix commit: https://github.com/torvalds/linux/commit/c845894ebd6f
- Patch series: https://lore.kernel.org/r/20260314021521.128361-1-danjwade95@gmail.com
## curl
### CVE-2026-3805 - SMB connection reuse use-after-free
A use-after-free in the SMB connection-reuse path of curl/libcurl. A reused SMB
connection can keep a dangling request-path pointer, leading to a crash or
to heap info being leaked to the SMB server.
Links:
- curl advisory: https://curl.se/docs/CVE-2026-3805.html
- GitHub repo / writeup / PoC: https://github.com/Rat5ak/CVE-2026-3805-curl-SMB-UAF
- CVE record: https://www.cve.org/CVERecord?id=CVE-2026-3805
- Fixed commit: https://github.com/curl/curl/commit/e090be9f73a7a71459ef678c
## WordPress
### CVE-2026-40791: Booking time slot to admin XSS
WP Time Slots Booking Form lets a public booking submission smuggle an SVG payload
through the time-slot parser using tab delimiters. The plugin stores it
as an appointment slot and then outputs it unescaped on the admin's Booking Orders
page. Planting the payload requires no account; the JavaScript fires when an admin views the saved booking.
Links:
- GitHub repo / writeup / PoC: https://github.com/Rat5ak/CVE-2026-40791-WP-Time-Slots-Booking-Form-XSS
- Wordfence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-time-slots-booking-form/wp-time-slots-booking-form-1246-unauthenticated-stored-cross-site-scripting
- Patchstack advisory: https://patchstack.com/database/vulnerability/wp-time-slots-booking-form/wordpress-wp-time-slots-booking-form-plugin-1-2-46-cross-site-scripting-xss-vulnerability
- WordPress plugin: https://wordpress.org/plugins/wp-time-slots-booking-form/
## OpenBSD
### CVE-2026-41285 - slaacd/rad zero-length ND option infinite loop
A crafted IPv6 Neighbor Discovery length byte makes `slaacd(8)` and `rad(8)`
spin forever. Link-local DoS, no authentication and no user interaction required. IPv6 autoconfiguration
is dead until the daemon is restarted.
Links:
- Repo / writeup: https://github.com/Rat5ak/CVE-2026-41285-OpenBSD-v6daemons-go-brrr
- CVE: https://www.cve.org/CVERecord?id=CVE-2026-41285
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-41285
- OpenBSD fix: https://github.com/openbsd/src/commit/086c5738bcd3c203bcc08d024fcf983cb409115f
- OpenBSD errata: https://www.openbsd.org/errata78.html
Tags: PoC, web security, web report viewer, container escape, brute force, vulnerability disclosure, blue-team analysis